Restricting NTP Access on a Router

jws1986
Level 1

I have an internet facing Cisco 891F router that I have been requested to make some NTP changes on. The current and only NTP configuration has the router looking to 3 different public time servers.

ntp server 1.1.1.1
ntp server 2.2.2.2
ntp server 3.3.3.3

When querying that router's IP address with an NTP tool it responds as a server, which we do not want. I don't want to prevent this router from getting NTP from the public servers. I just want to prevent any client on the internet from querying this router for NTP. I don't have much experience with ACLs, and the terminology for query-only, serve, peer, and serve-only has been a bit confusing for me.

Am I headed in the right direction with this?

access-list 46 remark utility ACL to block everything
access-list 46 deny any
!
access-list 47 remark NTP peers/servers we sync to/with
access-list 47 permit 1.1.1.1
access-list 47 permit 2.2.2.2
access-list 47 permit 3.3.3.3
access-list 47 deny any
!
! NTP access control
ntp access-group query-only 46 ! deny all NTP control queries
ntp access-group serve 46 ! deny all NTP time and control by default
ntp access-group peer 47 ! permit sync to configured peer(s)/server(s)
ntp access-group serve-only 46 ! deny NTP time sync requests

6 Replies

jws1986
Level 1

Anyone? 

Hello

You just want your router to be able to accept NTP updates from those servers

access-list 10 permit 1.1.1.1
access-list 10 permit 2.2.2.2
access-list 10 permit 3.3.3.3
ntp server 1.1.1.1
ntp server 2.2.2.2
ntp server 3.3.3.3
ntp access-group peer 10


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Yes I do want that. But I also want to prevent any internet source from accessing this router as an NTP server. 

Hello


@jws1986 wrote:

Yes I do want that. But I also want to prevent any internet source from accessing this router as an NTP server. 


Well try and test that config I posted - it should just allow communication between those NTP servers and your rtr



Kind Regards
Paul

Thank you Paul!!, it worked for me.

Hello

Glad to hear - can you please mark it as solved so as to assist others in the future.



Kind Regards
Paul
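
Added example, not part of the original thread and not Cisco code: a small Python model of how `ntp access-group` is evaluated, run against the configurations posted above. It assumes Cisco's documented behaviour (access types are scanned in the order peer, serve, serve-only, query-only; the first type whose ACL permits the source is granted; with no access groups configured nothing is restricted) and handles only the single-host and `any` ACL entries used in this thread. 203.0.113.9 is a constructed stand-in for an internet source.

```python
import ipaddress
import re

# Scan order for "ntp access-group" types, least to most restrictive.
ORDER = ["peer", "serve", "serve-only", "query-only"]

def parse(config):
    """Return ({acl: [(action, source), ...]}, {access_type: acl})."""
    acls, groups = {}, {}
    for raw in config.splitlines():
        line = raw.split("!")[0].strip()              # drop "!" comments
        m = re.match(r"access-list (\d+) (permit|deny) (\S+)$", line)
        if m:
            acls.setdefault(m.group(1), []).append((m.group(2), m.group(3)))
        m = re.match(r"ntp access-group (\S+) (\d+)$", line)
        if m:
            groups[m.group(1)] = m.group(2)
    return acls, groups

def acl_permits(entries, src):
    """Standard ACL: first matching entry wins, implicit deny at the end."""
    for action, match in entries:
        if match == "any" or ipaddress.ip_address(match) == ipaddress.ip_address(src):
            return action == "permit"
    return False

def ntp_access(config, src):
    """Access type granted to src: 'all', one of ORDER, or None."""
    acls, groups = parse(config)
    if not groups:
        return "all"        # no access groups: nothing is restricted
    for access_type in ORDER:
        # The referenced ACL must be defined in the config (KeyError otherwise).
        if access_type in groups and acl_permits(acls[groups[access_type]], src):
            return access_type
    return None             # groups exist but none permits this source

# Constructed from the configurations posted in this thread.
HOSTS = ["1.1.1.1", "2.2.2.2", "3.3.3.3"]
BASELINE = "".join(f"ntp server {h}\n" for h in HOSTS)
REPLY = (BASELINE + "".join(f"access-list 10 permit {h}\n" for h in HOSTS)
         + "ntp access-group peer 10\n")
ORIGINAL = (BASELINE + "access-list 46 deny any\n"
            + "".join(f"access-list 47 permit {h}\n" for h in HOSTS)
            + "access-list 47 deny any\nntp access-group query-only 46\n"
            + "ntp access-group serve 46\nntp access-group peer 47\n"
            + "ntp access-group serve-only 46\n")

if __name__ == "__main__":
    for name, cfg in [("baseline", BASELINE), ("reply", REPLY), ("original", ORIGINAL)]:
        for src in ["1.1.1.1", "203.0.113.9"]:
            print(f"{name:9} {src:12} -> {ntp_access(cfg, src)}")
```

Under this model the four-line access-group configuration in the question and the single `peer` line in the reply give the same result for both a configured server and an outside source.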